Welcome to CyberIntelMag’s weekly roundup! A place where you can read the most important stories in the cybersecurity world from the past week.
From the good news:
This week we’ve seen new cumulative updates and a security tool from Microsoft to protect from spreading attacks on its Exchange Servers, an FBI advisory for schools, the first-ever advisory for nurseries and childminders about cyber-attacks, and more.
- CISA released the CISA Hunt and Incident Response Program (CHIRP), a tool that detects malicious activity associated with the SolarWinds compromises on on-premises systems.
- The FBI released an advisory about a spike in attacks against US and UK schools in which attackers use ransomware to steal data and demand a ransom. Meanwhile, the UK government’s National Cyber Security Centre (NCSC) issued the first-ever advisory for nurseries and childminders about the dangers of cyber-attacks.
- Microsoft released Exchange Server 2016 and 2019 cumulative updates (CUs) that address the four ProxyLogon critical flaws and called them the most complete mitigation available. Earlier this week, Microsoft released a tool for mitigating the ProxyLogon vulnerabilities in Microsoft Exchange Servers prior to patching and recommended using the new script over the previously released ExchangeMitigations.ps1 script.
- Trustwave analyzed China Chopper, a web shell used by Hafnium, and called it a “slick little web shell that does not get enough exposure and credit for its stealth.”
From the bad news:
This week brought more attacks on Microsoft Exchange Servers, flaws in popular WordPress plugins, new malware, a novel way attackers use to hide their activity, and more.
- Avast researchers discovered that over 30 hacker groups are using a malware crypter called OnionCrypter. The crypter uses multiple layers of encryption to evade detection.
- VMware on Thursday announced its acquisition of Mesh7, a company that secures cloud-native applications. VMware will integrate Mesh7’s product with the VMware Tanzu Service Mesh to better “understand which applications components are talking to which using APIs.”
- Cisco reported it patched a vulnerability in the RV132W ADSL2+ Wireless-N VPN Routers and RV134W VDSL2 Wireless-AC VPN Routers. The flaw could allow an attacker to execute code or restart affected devices unexpectedly.
- Tutor LMS, a popular WordPress learning-management-system plugin for teacher-student communication, had SQL-injection vulnerabilities, Wordfence reported.
- Jannis Kirschner, an independent security researcher from Switzerland, while googling, found malware disguising itself as the popular messaging application Telegram.
- We saw two new phishing campaigns. In one – reported by Area1 Security – attackers lure victims with Microsoft Office 365-themed emails in an attempt to capitalize on the hype surrounding SolarWinds attacks.
- In another phishing campaign, reported by MalwareHunterTeam, attackers used JavaScript to see if the victim is visiting the website from a headless machine in order to evade detection.
- U.S. District Court in Seattle charged Till Kottmann, who hijacked footage from Verkada video cameras, with “computer intrusion and identity and data theft activities spanning 2019 to the present.”
- Swiss cybersecurity firm Prodaft reported a novel form of sandbox: attackers from the SilverFish group are using a victim's network to determine the detection rates of their payloads.
- Chile’s Comisión para el Mercado Financiero (CMF) was the latest victim of the ProxyLogon flaws in Microsoft Exchange Server this week.
- A new malware, dubbed by Proofpoint researchers as CopperStealer, was reported targeting the users of Google, Amazon, Facebook, and Apple to steal their accounts.
- SentinelLabs reported malware, dubbed XcodeSpy, that is injected into Xcode projects. Cybercriminals exploit the Run Script feature in the IDE to attack iOS developers.
- Microsoft reported it is investigating whether one of its MAPP program partners was the source of a leak that led to the exploitation of vulnerabilities in Exchange Servers. It is possible Microsoft's cybersecurity partner in China leaked Microsoft's PoC code, after which the attacks started.
- As PoC exploits for ProxyLogon flaws in Microsoft Exchange Servers are posted online, researchers warn cyber-activity against Microsoft Exchange Servers is likely to accelerate.
- Palo Alto reported a new Mirai variant that was targeting known flaws in D-Link, Netgear, and SonicWall devices and previously unknown flaws in IoT devices.
- Sucuri reported a novel method hackers use to steal payment card data from online stores in which the bad actors hide it in a JPG image stored on the compromised website.
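As an added defender-side example (not code from Sucuri or from this roundup), the checker below flags JPEG files in a web root that carry extra bytes after the end-of-image marker. It assumes the skimmer appends the stolen data to an otherwise valid image so the file still renders; the page only says the data is hidden in a JPG, so that placement is an assumption, and the sample files are constructed inline.

```python
"""Flag JPEGs that carry data appended after the End-Of-Image marker."""
import re
from pathlib import Path

SOS = b"\xff\xda"   # Start Of Scan: the last one precedes the real image data
EOI = b"\xff\xd9"   # End Of Image: a clean file ends right here
# Loose shape of a payment card number (13-19 digits); constructed heuristic.
CARD_RE = re.compile(rb"\b\d{13,19}\b")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's EOI marker, or b'' if nothing does.

    The EOI is located as the first 0xFFD9 after the last 0xFFDA, which skips
    EXIF thumbnails (their own EOI comes before the main scan).
    """
    sos = data.rfind(SOS)
    if sos == -1:
        return b""  # not a JPEG scan at all; out of scope for this check
    eoi = data.find(EOI, sos)
    if eoi == -1:
        return b""  # truncated file, nothing appended
    return data[eoi + len(EOI):]


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over an ASCII digit string (bytes iterate as ints)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_jpeg(data: bytes) -> dict:
    """Summarise appended data: its length and how many Luhn-valid numbers it holds."""
    tail = trailing_bytes(data)
    hits = [m.group(0) for m in CARD_RE.finditer(tail) if luhn_ok(m.group(0))]
    return {"trailing_len": len(tail), "luhn_valid_numbers": len(hits)}


def scan_webroot(root: str) -> list:
    """Walk a directory and return (path, summary) for every JPEG with a tail."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in (".jpg", ".jpeg") and p.is_file():
            summary = inspect_jpeg(p.read_bytes())
            if summary["trailing_len"]:
                findings.append((str(p), summary))
    return findings
```

A hit with a non-zero trailing length is worth a look even when no card-shaped numbers appear, since the appended data may be encoded; a large trailing length on a site's own image files is the signal this roundup item describes.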
- The Spanish police seized an app that broadcasted pirate video streams and secretly sold users’ personal data and turned smartphones into proxies and DDoS botnets.
- Cybereason reported attackers looking for quick money during this year's tax season, targeting US taxpayers with the NetWire and Remcos trojans.
- Two Polish government websites were hacked to spread false information about a radioactive cloud from Lithuania threatening citizens in Poland.
- Wordfence researchers found critical flaws in two popular WordPress plugins, Elementor and WP Super Cache, which together could have exposed 7 to 9 million websites to compromise.
- Hackread reported a leaked Guns.com database that included administrator, WordPress, and cloud login credentials in plain text; however, no credit card or VCC numbers had been stolen or leaked.